Two independent medical practices in Minnesota once hoped to expand operations but have spent the past year struggling to recover from the cyberattack on a vast UnitedHealth Group payment system.

Odom Health & Wellness, a sports medicine and rehabilitation outfit, and the Dillman Clinic & Lab, a family medicine practice, are among the thousands of medical offices that experienced sudden financial turmoil last year. The cyberattack against Change Healthcare, a division of Eden Prairie-based UnitedHealth, paralyzed much of the nation’s health care payment system for months.

Change lent billions of dollars to medical practices that were short on cash but has begun demanding repayments.

Dillman and Odom are suing UnitedHealth in U.S. District Court in Minneapolis, accusing it of negligence related to the cyberattack and claiming they sustained excessive expenses because of the attack’s fallout.

In addition, Odom and Dillman asserted in court filings that the company’s insurance arm, UnitedHealthcare, has in turn been denying claims to cover patient care for being submitted late.

Risk of consolidation

Lawmakers viewed the chaos caused by the cyberattack as a result of UnitedHealth’s seemingly insatiable desire to buy up companies like Change, alongside doctors’ practices and pharmacy businesses. The widespread disruption was a reminder of how deeply UnitedHealth’s sprawling subsidiaries had become embedded in the nation’s health care system.

“This is yet another sign that the rapid consolidation of major health care companies has harmed, rather than helped, American patients and doctors,” Sen. Ron Wyden, D-Ore., said of the financial bind that the cyberattack had placed on practices.

Last month, the American Medical Association sent a letter to Optum, the UnitedHealth division that owns Change, saying that it was concerned that many practices were being pressured to repay loans despite continued financial difficulties from the cyberattack.

Since March 2024, Change had provided $9 billion in interest-free loans to more than 10,000 medical providers, including $569,680 to Odom, in Eden Prairie, and $157,600 to Dillman, in Lakeville.

A year later, roughly $5.5 billion had been repaid, United said in court filings. About 3,500 practices, including Odom, Dillman and six other plaintiffs in the lawsuits, had made no repayments as of April 1. Several other practices and patients have also filed suits.

In a statement, Change said it would “continue to actively work with providers to identify flexible repayment plans based on the individual circumstances of providers and their practices.”

It added, “We have also worked with UnitedHealthcare to ensure the claims it receives are reviewed in light of the challenges providers experienced, including waiving timely filing requirements for the plans under its control.”

Change’s practices

Change compared its efforts to recoup loans to those by the Centers for Medicare and Medicaid Services. After the cyberattack, CMS provided accelerated payments to practices to cover Medicare billings delayed by the cyberattack. It has since garnished Medicare claims to recoup the funds.

In court filings, United cited data showing that only a small percentage of Odom’s and Dillman’s health care claims were rejected for being “untimely,” although those denials increased after the cyberattack.

Calling the plaintiffs’ motions a “collective shakedown,” United has also requested that the district court reject their request for an injunction against repayment, arguing that they did not have the right to interfere in its business with thousands of other loan recipients.

An injunction, United argued, could be used by other medical practices to “hold hostage billions of dollars.”

Scope of cyberattack

At the time of the cyberattack, Change’s medical-billing clearinghouse processed about 45% of the nation’s health care transactions, or about $2 trillion annually. The company had to take its services offline in February 2024 to contain damage from the attack, halting much of the health care system’s cash flow and unleashing chaos.

The associated breach of private information was the largest reported in U.S. health care history. In January, United increased the reported number of people whose personal data had been exposed to 190 million from 100 million.

The U.S. Department of Health and Human Services’ Office of Civil Rights opened an investigation into the ransomware attack in March 2024.

Company officials have said that the hackers infiltrated Change’s systems by obtaining compromised login credentials and using a portal for entry that did not require multifactor authentication.

United officials confirmed that the company had paid a $22 million ransom to the Russian cybercriminals who claimed responsibility. The corporation reported in a January earnings report that the cyberattack had by then cost $3.1 billion.

Reimbursements didn’t begin to channel relatively freely through Change until June 2024, although United said that some of its systems had taken longer to come back online and that a few were still not at 100%

At congressional hearings in May 2024, senators slammed Andrew Witty, United’s CEO, for how the company had handled the cyberattack and the disruption it caused thousands of providers. Witty testified that the company had “no intention of asking for repayment until providers determine their business is back to normal.”

‘Being processed’

The loan terms stipulated that Change would not demand repayment until “after claims processing and/or payment processing services and payments impacted during the service disruption period are being processed.”

The meaning of “being processed” is now at the center of the court cases.

Change began seeking repayment from Dillman and Odom through what the medical practices characterized in court filings as a succession of increasingly aggressive letters. Both practices told Change they were unable to repay and neither accepted repayment plan offers. Change then in January demanded full repayment and threatened to withhold future reimbursements for patients’ health care.

“It’s disappointing but not surprising that UnitedHealth Group has decided to prioritize its bottom line over the well-being of families and small businesses,” said Wyden, who led the Senate hearing on the cyberattack.